Managing Printers Using Group Policy

[patris1]

کد:

http://www.windowsnetworking.com/articles_tutorials/Managing-Printers-Group-Policy-Part1.html

PART-1


Group Policy simplifies management of many aspects of an Active Directory-based network. One of the areas Group Policy is useful has to do with managing printers. This article reviews various machine and user policies that can be used to configure shared printers in a domain environment. Afterward we’ll look at a third-party tool that gives you even more options for using Group Policy to manage printers.
Machine Policies for Printers

Figure 1 shows the Group Policy Object Editor of Windows Server 2003 with the policies found under Computer Configuration\Administrative Templates\Printers displayed in the right-hand pane:

Figure 1: Machine policies for managing printers. These policies apply to the domain, OU or site in which the target machines (domain controllers, print servers, or desktops depending on the policy) reside

The machine policies that govern printing can be summarized mainly under the following headings: publishing, pruning, searching, and some miscellaneous machine policies relating to Internet printing, drivers, and other stuff. Let’s look at each of these policy settings briefly.

Note:
Similar to other Group Policy settings, printer policies can be applied at the domain, site, or organizational unit level. For example, to manage printers in an OU (i.e. whose print servers have their computer accounts residing in the OU), create a new Group Policy Object and link it to the OU, then configure the policies described below.
Note:
All screenshots in this article were done on Windows XP and Windows Server 2003. Note that a few printer policies are named differently on Windows 2000.

Publishing

There are three policies that control how printers are published in Active Directory. Publishing a printer means creating an object in Active Directory that is a representation of the printer. If printers are published in Active Directory, users can search for a particular printer based on its name, location, and other properties. This makes it easier for users to find the appropriate printer for a specific job i.e. printing a batch job at night on a heavy duty laser printer, using a color printer, using the closest printer to their location, and so on.
Allow printers to be published
This policy determines whether printers can be published or not in Active Directory. By default, printers can be published, so there’s usually no need to explicitly enable this setting unless it was disabled previously. If you disable this setting however, printers cannot be published, and when you try and share a printer using the Sharing tab, the “List in the directory” option will be unavailable (Figure 2).

Figure 2: If the Allow printers to be published policy is disabled, then the “List in the directory” checkbox shown here is not displayed

Automatically publish new printers in Active Directory
This policy only applies if the “Allow printers to be published”policy is either enabled or not configured. If this is the case, then this policy causes new printers to be automatically published in Active Directory when you create and share them. If you would rather decide yourself which printers will be published and which ones will not, you can set this policy to Disabled and then publish your printers manually by selecting the “List in the directory” checkbox shown in Figure 2 above.

Note:
To manually publish downlevel (pre-Windows 2000) or non-Windows (e.g. Linux/UNIX) shared printers, right-click on a domain or OU and select New --> Printer using the Active Directory Users and Computers console.

If you’re experiencing intermittent problems with printers published in Active Directory, you can try enabling the Check published state policy setting to verify whether published printers are still present in Active Directory. If this setting is not configured, then the domain controller this policy applies to will check published printers each time it boots up, however you can enable the policy and configure it to check more often if needed. Configuring this policy setting to Never is the same as disabling it completely.

Pruning

Pruning is a process by which printers that are published but which are no longer available on the network are removed from the directory to prevent users from trying to print to non-existent printers. Pruning can be useful in an environment where printers are frequently being added, removed, or moved around, or where print servers occasionally go down or printers get turned off when not in use. The policies described below apply only to domain controllers in the domain, site or OU to which your GPO applies.
Allow pruning of published printers
If this policy is enabled or not configured, printers are automatically pruned (unpublished) when the computer that published them (the print server) can’t be contacted by the domain controller. This is helpful because it means users don’t waste time trying to locate and print to printers that are unavailable on the network. Then, when the printer becomes available again on the network, the print server automatically republishes the printer in Active Directory and it shows up again when users are searching for printers in their location.
By default, domain controllers try and prune printers every 8 hours. If a printer can’t be contacted for some reason, the domain controller tries twice more before pruning the printer from the directory. If these default settings aren’t suitable for your business environment, you can tune them further using the following two policies:

• Directory pruning interval
• Directory pruning retry

In addition, if your domain controller is heavily used then you may need to elevate the priority of the pruning thread to ensure the pruning function operates optimally. This can be done by configuring the Directory pruning priority policy setting.
If you are experiencing problems with the pruning process, you can enable the Log directory pruning retry events policy setting to help you troubleshoot things. Doing so will cause each pruning attempt to be logged as an event in the Event log. Disabling this setting or leaving it not configured will cause only successful pruning operations to be logged. Note however that this particular policy only applies to Windows XP and Windows Server 2003, and not to Windows 2000 machines.
Pruning downlevel (pre-Windows 2000) and non-Windows (e.g. Linux/UNIX) shared printers is handled by two another policy named Prune printers that are not automatically republished. If this policy is enabled or not configured, non-Windows and downlevel (NT and earlier) printers that have been manually published in Active Directory are never pruned. This setting can be modified to prune such printers when they become available, but doing so means you’ll have to manually republish them when they become available again, so it’s generally best to leave this policy alone and manually prune these printers from the directory when they are permanently removed from the network (you can do this by deleting the Printer object you previously created for them using Active Directory Users and Computers).

Searching

When you create a new printer and share it using the Add Printer Wizard you can specify a location and describe the use or properties of the printer (Figure 3):

Figure 3: Specifying a location for a printer

This location information is stored in Active Directory as an attribute of the Printer object associated with the printer (assuming the printer is being published in Active Directory). Users can then search for a printer based on text in the Location field (Figure 4):

Figure 4: Searching for a printer by location.

For searches like this to be successful however, the user needs to be able to specify the location properly. For example, if the user typed “third” instead of “3rd” then the search above would fail.
To simplify searches for nearby printers, you can implement location tracking, a feature of Windows 2000 and later. Then you can configure how location tracking is used so that users can more easily locate printers that are near to them on the network. The two policies that are used to configure location tracking are the Pre-populate printer search location text and Computer location policy settings. Using these policy settings causes a Browse button to appear beside the Location field in the Find Printers dialog box (compare previous figure with Figure 5 below):

Figure 5: Location tracking adds a Browse button beside the Location field in the Find Printers dialog.

Setting up location tracking in your Active Directory environments requires that you have Subnet objects created for each physical subnet on your network and location attributes defined for Site and Subnet objects. To learn how to set up location tracking, search for the topic “Enabling printer location tracking” using Windows 2000/2003 Help and Support. Once location tracking is set up on your network, users can find nearby printers so they won’t have to walk long distances (or perhaps book a flight) to pick up their print jobs from remote locations.
The second article in this series, entitled Managing Printers Using Group Policy: Part 2, will continue by examining additional machine policies for managing printers, user policies, and a third-party tool that extends Group Policy’s capabilities for managing printers.

---

موضوعات مشابه:

• بستن automatic search for network printers and folders in Windows XP در group policy
• Managing Hardware Restrictions via Group Policy
• Using Group Policy Filtering to Create a NAP DHCP Enforcement Policy
• Managing Outlook 2007 through Group Policies
• Using Group Policy Preferences to Map Drives Based on Group Membership

---

[patris1]

کد:

http://www.windowsnetworking.com/articles_tutorials/Managing-Printers-Group-Policy-Part2.html

PART-2

Machine Policies for Printers (Continued)

We’ve been looking at the machine policies used for managing shared printers on an Active Directory-based network (see Figure 1) and so far have examined policies relating to publishing, pruning, and searching for printers. Let’s look at the remaining machine policies and afterward move on to user policies.

Figure 1: Machine policies for managing printers

Miscellaneous

The remaining four machine policies we haven’t covered so far deal with several different matters, so let’s look at each of them separately.
Web-based printing When this policy is disabled, shared printers are not published on the web. What this means is that:

• Shared printers cannot accept incoming print jobs from clients who have submitted these jobs using HTTP.
• Shared printers cannot be remotely managed or have their properties viewed using a web browser.

Of course, none of this is possible anyway unless you’ve installed IIS together with its Internet Printing component on a server in your network (see article 313058 in the Microsoft Knowledge Base for more information about setting up Internet printing on your network). If you enable this policy or leave it not configured (and IIS with Internet Printing is installed, then you can manage printers from a web browser (Figure 2) and users can print to printers over the Internet. Note however that this policy only applies to Windows XP and Windows Server, and not Windows 2000 machines.

Figure 2: Managing printers using a web browser

Custom Support URL in Printers folder’s left pane To help users easily find information that can help them find and use printers in your enterprise and know what steps to take when printing problems arise, you can add a hyperlink to the Printers folder on their machines that can take them to a special Support website you’ve created that guides them in such matters.
Printer browsing On an Active Directory-based network, the Browser service is an unnecessary anachronism as is NetBIOS and WINS since the directory itself (together with DNS) can be used to locate printers and other items on the network. So if you have no legacy (Windows NT/9x) clients on your network then you can set this policy to disabled to prevent the print subsystem on print servers from announcing via the Browser service that printers are available. On the other hand, you can simply leave this policy not configured and such Browser announcements will be suppressed unless Active Directory should itself go down for some reason.
Disallow installation of printers using kernel-mode printer drivers By default Windows XP allows kernel-mode printer drivers to be installed, but Windows Server 2003 doesn’t. Kernel-mode drivers can crash the system and cause STOP messages (blue screens) if they are poorly written, so by enabling this policy you can prevent such printer drivers from being installed on your XP desktops. Note that this policy only applies to Windows XP and Windows Server 2003, and not to Windows 2000 machines.
Allow Print Spooler to accept client connections Disabling this policy will prevent users from sharing printers on machines to which this policy is applied. It has no effect however on printers that have already been shared on the machine. However, disabling this policy will also prevent the Spooler service on affected machines from receiving any incoming client connections to print. Note that for this policy to take effect the Spooler service must be restarted (or the machine rebooted). Also note that this policy only applies to Windows Server 2003, and not to Windows 2000 or Windows XP machines.
User Policies

User policies are Group Policy settings that are applied when users log on to their computers, and are usually used to govern the behavior of desktop computers whose Computer accounts reside in a domain, OU or site. There are fewer user policies for managing printers than there are machine policies, so let’s just look at them one at a time (see Figure 3). Most of these policies have to do with locking down printers i.e. preventing users from making a mess of their printer connections. The only problem with these lockdown policies is that there are ways to circumvent them if the user is knowledgeable enough, but for the average user they usually suffice to hold the fort.

Figure 3: User policies for managing printers

Note:
The policy names used here are those for Windows XP and Windows Server 2003. Some policies may be named differently on Windows 2000.

Prevent addition of printers If this policy is enabled, the Add Printers icon is missing from the Printers folder on computers affected by this policy (see Figure 4). It also prevents users from adding a printer by dragging it from a network share into the Printers folder.

Figure 4: The Add Printer icon is missing from the Printers folder

Prevent deletion of printers If this policy is enabled, users cannot delete printers from the Printers folder on their computers. This includes both local printers (connections to print devices connected to their computers through USB or LPT ports) and network printers (connections to shared printers on the network).
Browse the network to find printers Setting this policy to disabled prevents users from browsing the network to find shared printers when they are running the Add Printer Wizard to add a new printer to their machine. It doesn’t prevent them from typing the full UNC pathname to a shared printer though, so they can still add network printers if they know the explicit path to the printer they want to add.
Default Active Directory search path when searching for printers When users search Active Directory for printers, their search has to start somewhere. By default the starting point for such searches is Entire Directory, which can be daunting for some users if you have a complicated forest with many domains. To make things easier for them you can use this policy to change the starting point for their search to some other part of the directory such as the local domain or OU where the user’s account resides.
Browse a common web site to find printers To help users find printers in a large enterprise, you can use this policy setting to enable users to click a “Browse the Intranet” link when they use the Add Printers Wizard to add a new printer to their machine (see Figure 5). This link then redirects the user to a web page you have set up that helps them find the printer they need and connect to it.

Figure 5: The “Browse the Intranet” link redirects users to a web page where they can find the printers they need

Point and Print Restrictions If this policy is disabled then ordinary users can connect to shared printers using the point and print method. This is done by using Windows Explorer or My Network Places to open the Printers folder on the print server and then right-clicking on the shared printer you want to install and selecting Connect. The printer drivers you need will be automatically downloaded to your machine and a printer connection will be created to the network printer. If instead you enable this policy, you can restrict users so they can only use point and print to connect to printers in the forest in which their user account resides (or to a specific list of print servers in this forest). If the policy is not configured, users can only use point and print to connect to printers in their own forest. If it is disabled, they can connect to any shared printers anywhere. Note that this policy only applies to Windows Server 2003 and Windows XP Service Pack 1 or later machines. For more information on this policy see article 319939 in the Knowledge Base.
AutoProf Policy Maker Professional 2.0

One thing Group Policy doesn’t let you do is to assign printer connections to client machines simply by configuring a policy setting. This is unfortunate, and for most admins the workaround is writing a logon script to create the printers needed on their desktop machines. This logon script can then be assigned using Group Policy and when users log on to their machines they have the printers they need in their Printers folders. For more information on assigning logon scripts see my earlier article Using Logon Scripts in Pure and Mixed Active Directory Environments on this site.
If you want to create printers using a logon script however, a traditional batch file is not your best approach. A better approach is to use VBScript, which gives you much more flexibility for creating conditions based on group membership and so on. But to do this you need to know how to write scripts using VBScript and you need the time to do so.
AutoProf Policy Maker Professional 2.0 from AutoProf makes this unnecessary. This terrific tool extends Group Policy to let you easily do a ton of things you can’t normally do, and one of these things is creating printer connections on client machines (Figure 6):

Figure 6: Using AutoProf Policy Maker Professional 2.0 to automatically create printer connections on target machines using Group Policy